On 14.02.2008, at 05:22, Greg Helps wrote:
> Hi,
>
> My question's probably quite simple, but I'd like to frame it by
> explaining my situation first. I come from an environment that uses
> Citrix MetaFrame. A Citrix session establishes itself on TCP port 1494
> or 2598 by default. All activities utilise this single conversation,
> meaning screen drawing, mouse movements, clipboard copies, client-side
> drive mapping etc. all occur within the same conversation.
>
> Screen redraws, mouse movements and keystrokes are all high priority
> activities compared to something like printing. Therefore, the first
> two bytes of the TCP data are not encrypted and contain information
> about the payload of the particular packet. From Cisco's description:
>
>     The first two bytes of the packet (byte 1 and byte 2) contain the
>     byte count and the ICA priority tag number. Byte 1 contains the
>     low-order byte count, and the first two bits of byte 2 contain the
>     priority tags. The other six bits contain the high-order byte count.
>
> I'd like to filter by the first two bits of the second byte of the TCP
> payload data. I am currently trying variations of the following
> display filter:
>
>     (tcp[21] & 0xc0) == 0
>
> This filter is rejected as invalid. Can anyone see what I'm doing
> wrong?

Can't see it right now either, but try

    tcp[21] < 193

which should be logically the same.

Andreas Fink
Global Networks Schweiz AG
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
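
The two-byte header layout quoted from Cisco above, decoded in Python as an added example that is not part of the original thread. It assumes "first two bits" means the two most significant bits (as the 0xc0 mask in the question implies), locates the payload from the TCP data-offset field instead of a fixed offset of 21, and compares numeric-threshold forms of the filter with the mask test over all 256 byte values. The function names and the sample segments are constructed for illustration.

```python
import struct

def ica_header(tcp_segment: bytes):
    """Return (priority, byte_count) from the first two payload bytes, or None."""
    if len(tcp_segment) < 20:
        return None
    # Upper nibble of TCP header byte 12 is the data offset in 32-bit words.
    hdr_len = (tcp_segment[12] >> 4) * 4
    if hdr_len < 20 or len(tcp_segment) < hdr_len + 2:
        return None
    low, second = tcp_segment[hdr_len], tcp_segment[hdr_len + 1]
    priority = second >> 6  # assumption: "first two bits" = top two bits (mask 0xc0)
    byte_count = ((second & 0x3F) << 8) | low  # six high-order bits + low-order byte
    return priority, byte_count

def disagreements(threshold: int):
    """Byte values where `b < threshold` and `(b & 0xc0) == 0` give different answers."""
    return [b for b in range(256) if (b < threshold) != ((b & 0xC0) == 0)]

def make_segment(options: bytes, payload: bytes) -> bytes:
    """Constructed TCP segment: port 50000 -> 1494, PSH+ACK, zero checksum."""
    assert len(options) % 4 == 0
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x018
    hdr = struct.pack("!HHIIHHHH", 50000, 1494, 1, 1, offset_flags, 65535, 0, 0)
    return hdr + options + payload

# Constructed samples. PLAIN has a bare 20-byte header; WITH_OPTS carries
# NOP, NOP, timestamp (12 option bytes), so its payload starts at offset 32.
PLAIN = make_segment(b"", bytes([0x05, 0x00]) + b"\x00" * 5)
WITH_OPTS = make_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8,
                         bytes([0x2C, 0xC1]) + b"\x00" * 8)

if __name__ == "__main__":
    print("plain header :", ica_header(PLAIN))
    print("with options :", ica_header(WITH_OPTS))
    # A fixed offset of 21 lands inside the options of the second segment.
    print("byte 21 & 0xc0 in WITH_OPTS:", WITH_OPTS[21] & 0xC0)
    for t in (64, 193):
        print(f"b < {t} differs from the mask test on",
              len(disagreements(t)), "byte values")
```
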